ISS is not alone. There is an interesting lesson to be learned here. While 'false positives' are easy to spot (if you admin the box), 'false negatives' are not so easy to identify. Both do exist in all security scanner products I have seen.

I do believe that there should probably be some more documentation on ISS's part. However, the same goes for other vendors. There are many ways to deal with 'false negatives', such as printing a list of everything that the product scans for and saying 'hey, I tested these vulnerabilities, I don't think you're vulnerable, but can't prove it 100%'. In my opinion that is not acceptable.

So what does that mean.... Well, my take on it is this. No commercial product will provide an absolute vulnerability list 100% of the time. Once again proving that there will always be a market for 'true' security professionals.

my last 2 cents ....

joej
Mr_JoeJat_private

--------------------------------
aleph1: let's kill this thread, I'm tired of getting email about it. Let's move to fry bigger fish.
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:33:51 PDT